Resolved FTP erro not listing directory

[fferraro87]

Hi,
i'm using Plesk Onyx Version 17.5.3 Update #27 (on Centos 7) and i've some problem to connect on FTP.

Specifically, when i connect via filezilla or other ftp client to my hosting, i've this error:

Status:    Connection established, waiting for welcome message...
Status:    Initializing TLS...
Status:    Verifying certificate...
Status:    TLS connection established.
Status:    Logged in
Status:    Retrieving directory listing...
Command:    PWD
Response:    257 "/" is the current directory
Command:    TYPE I
Response:    200 Type set to I
Command:    PORT 192,168,2,102,203,131
Response:    200 PORT command successful
Command:    MLSD
Error:    Connection timed out after 20 seconds of inactivity
Error:    Failed to retrieve directory listing

This server is behind a NAT, so i added MasqueradeAddress on /etc/proftpd.conf

this is my proftpd.conf

ServerName                      "ProFTPD"
#ServerType                     standalone
ServerType                      inetd
DefaultServer                   on
MasqueradeAddress               185.96.217.42
<Global>
DefaultRoot     ~               psacln
AllowOverwrite          on
<IfModule mod_tls.c>
        # common settings for all virtual hosts
        TLSEngine on
        TLSRequired off

        TLSLog /var/log/plesk/ftp_tls.log

        TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
        TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem

        # Authenticate clients that want to use FTP over TLS?
        TLSVerifyClient off

        # Allow SSL/TLS renegotiations when the client requests them, but
        # do not force the renegotations.  Some clients do not support
        # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
        # clients will close the data connection, or there will be a timeout
        # on an idle data connection.
        TLSRenegotiate none

        # As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
        # that reuse the SSL session of the control connection, as a security measure.
        # Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
        TLSOptions NoSessionReuseRequired
</IfModule>
</Global>
DefaultTransferMode     binary
UseFtpUsers                     on

TimesGMT                        off
SetEnv TZ :/etc/localtime
# Port 21 is the standard FTP port.
Port                            21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

#Following part of this config file were generate by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.

#Include directive should point to place where FTP Virtual Hosts configurations
#preserved

ScoreboardFile /var/run/proftpd.scoreboard

# Primary log file mest be outside of system logrotate province

TransferLog /var/log/plesk/xferlog

#Change default group for new files and directories in vhosts dir to psacln

<Directory /var/www/vhosts>
        GroupOwner      psacln
</Directory>

# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd

IdentLookups off
UseReverseDNS off

AuthGroupFile   /etc/group

Include /etc/proftpd.d/*.conf

But i've always that error.
How can i fix this error?

I've already try to follow this tutorial : How to configure a passive ports range for ProFTPd on a server behind a firewall?
But with no success. how can i do?
Thanks

 

[Bitpalast]

The article you followed is almost right, but not exactly. You will need this one: Unable to connect to FTP in passive mode

So add the passive ports range in the FTP server configuraion, then configure the firewall according to this article and the directory listing will work again.

 

[fferraro87]

The article you followed is almost right, but not exactly. You will need this one: Unable to connect to FTP in passive mode

So add the passive ports range in the FTP server configuraion, then configure the firewall according to this article and the directory listing will work again.

Hi, thanks for your support but also if i add PassivePorts directive inside /etc/proftpd.conf, i've always same error :
Now i've this proftpd.conf :

#
# To have more informations about Proftpd configuration
# look at : http://www.proftpd.org/
#

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "ProFTPD"
#ServerType                     standalone
ServerType                      inetd
DefaultServer                   on
MasqueradeAddress               185.96.217.42
<Global>
DefaultRoot     ~               psacln
AllowOverwrite          on
PassivePorts                    49152 65534
<IfModule mod_tls.c>
        # common settings for all virtual hosts


        TLSLog /var/log/plesk/ftp_tls.log

        TLSRSACertificateFile /usr/local/psa/admin/conf/httpsd.pem
        TLSRSACertificateKeyFile /usr/local/psa/admin/conf/httpsd.pem

        # Authenticate clients that want to use FTP over TLS?
        TLSVerifyClient off

        # Allow SSL/TLS renegotiations when the client requests them, but
        # do not force the renegotations.  Some clients do not support
        # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
        # clients will close the data connection, or there will be a timeout
        # on an idle data connection.
        TLSRenegotiate none

        # As of ProFTPD 1.3.3rc1, mod_tls only accepts SSL/TLS data connections
        # that reuse the SSL session of the control connection, as a security measure.
        # Unfortunately, there are some clients (e.g. curl) which do not reuse SSL sessions.
        TLSOptions NoSessionReuseRequired
</IfModule>
</Global>

DefaultTransferMode     binary
UseFtpUsers                     on

TimesGMT                        off
SetEnv TZ :/etc/localtime
# Port 21 is the standard FTP port.
Port                            21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

#Following part of this config file were generate by PSA automatically
#Any changes in this part will be overwritten by next manipulation
#with Anonymous FTP feature in PSA control panel.

#Include directive should point to place where FTP Virtual Hosts configurations
#preserved

ScoreboardFile /var/run/proftpd.scoreboard

# Primary log file mest be outside of system logrotate province

TransferLog /var/log/plesk/xferlog

#Change default group for new files and directories in vhosts dir to psacln

<Directory /var/www/vhosts>
        GroupOwner      psacln
</Directory>

# Enable PAM authentication
AuthPAM on
AuthPAMConfig proftpd

IdentLookups off
UseReverseDNS off

AuthGroupFile   /etc/group

Include /etc/proftpd.d/*.conf

i've try also to move PassivePorts outside Global section, but it's everything the same.

 

[Bitpalast]

Did you add the port range to the firewall as described?

 

[fferraro87]

Did you add the port range to the firewall as described?

yes i've attached a screenshot

 

[Bitpalast]

Yes, it should work. Port range is good, configuration is good and according to your FTP log FTP is using port 51587 for data, which is in the range.

In that case you need to check whether another software or a router is blocking the port range, e.g. a firewall confgured by your provider.

 

[fferraro87]

This VM is behind a fortigate firewall, i've to open also this port range on my fortigate?

 

[Bitpalast]

Yes.

 

[fferraro87]

Yes.

ok, can i put a smaller passiveports range?

 

[Bitpalast]

Sure, for example 50,000 - 60,000. There really is no risk with it, because if there is no other service behind the range, there is no attack opportunity. You can equally well keep the range as it is. But the ranges of software firewall, FTP passive ports configuration and your external firewall must all be in sync, meaning if you limit one to 50,000 - 60,000, all others must reflect that, too.

 

[fferraro87]

Sure, for example 50,000 - 60,000. There really is no risk with it, because if there is no other service behind the range, there is no attack opportunity. You can equally well keep the range as it is. But the ranges of software firewall, FTP passive ports configuration and your external firewall must all be in sync, meaning if you limit one to 50,000 - 60,000, all others must reflect that, too.

Ok thanks, now it works fine!
Thanks for your support